Page History
[updated on 2021 12 17 142022 03 07 18:00 GMT+1]
More about the issue: https://github.com/advisories/GHSA-jfh8-c2jp-5v3qFor more information, see CVE-2021-44228, CVE-2021-45046, CVE-2021-44832.
Table of Contents |
---|
Change log
Timestamp | Description |
---|---|
2022 03 07 18:00 GMT+1 | 2021x Refresh1 HF2 and 2021x Refresh2 HF2 (hot fixes) with log4j 2.17.1 version are released as Remediation option. Also, log4j 1.2 version removed from these hotfixes. Added CVE-2021-44832 to vulnerability list. |
2022 01 06 18:00 GMT+1 | Updated log4j version from 2.17.0 to 2.17.1 for modeling and collaboration tools in Remediation. Added additional note for collaboration tools v19.0 SPx in Remediation. |
2021 12 22 19:30 GMT+1 | 2021x Refresh1 and 2021x Refresh2 HF1 (hot fixes) with log4j 2.16.0 version are released as Remediation option. |
2021 12 20 21:00 GMT+1 | UpdatedRemediation options for modeling and collaboration tools. |
2021 12 20 16:30 GMT+1 | Added log4j version 2.17.0 for modeling and collaboration tools in Remediation. |
2021 12 17 14:00 GMT+1 | UpdatedRemediation options for modeling and collaboration tools. |
2021 12 17 13:00 GMT+1 | Updated log4j version from 2.15.0 to 2.16.0 for modeling and collaboration tools in Remediation. |
2021 12 16 14:00 GMT+1 | Added Cameo DataHub plugin to the list in Apache Log4j2 version 2.0-2.14.1 is a part of the following products, however it is not used for logging. No action to perform. |
2021 12 16 14:00 GMT+1 | Added information about FlexNet Publisher in Apache Log4j2 version 2.0-2.14.1 is a part of the following products. Action to perform. |
Apache Log4j2 version 2.0-2.
...
17.
...
0 is a part of the following products. Action to perform.
CATIA Magic portfolio
- Magic Collaboration Studio (release 2021x Refresh1, 2021x Refresh2)
- Magic Software Architect (release 2021x Refresh1, 2021x Refresh2)
- Magic Cyber Systems Engineer (release 2021x Refresh1, 2021x Refresh2)
- Magic Systems of Systems Architect (release 2021x Refresh1, 2021x Refresh2)
No Magic portfolio
- Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
- Cameo Collaborator for Teamwork Cloud (release 2021x Refresh1, 2021x Refresh2)
- MagicDraw (release 2021x Refresh1, 2021x Refresh2)
- Cameo Systems Modeler (release 2021x Refresh1, 2021x Refresh2)
- Cameo Enterprise Architecture (release 2021x Refresh1, 2021x Refresh2)
To Do: You have action to perform. See Remediation.
FlexNet Publisher
- lmadmin (FlexNet Publisher 64-bit License Server Manager)
To Do: You have action to perform, if you are using lmadmin Alerter Service. For more information, see here.
Apache Log4j2 version 2.0-2.
...
17.
...
0 is a part of the following products, however it is not used for logging. No action to perform.
CATIA Magic portfolio
- Magic Collaboration Studio (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
- Cameo Collaborator for Teamwork Cloud (release 2021x, 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Teamwork Cloud (release 2021x , 19.0 SP1, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Cameo DataHub plugin (release 2021x Refresh1, 2021x Refresh2)
The following products and versions are NOT affected. No action to perform.
CATIA Magic portfolio
- Magic Software Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Cyber Systems Engineer (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
- Magic Systems of Systems Architect (release 2021x, 19.0 SP2, 19.0 SP3, 19.0 SP4)
No Magic portfolio
- Teamwork Cloud (release 19.0)
- Teamwork Server (release 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Collaborator for Teamwork Cloud (release 19.0)
- MagicDraw (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Systems Modeler (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
- Cameo Enterprise Architecture (release 2021x, 19.0 and all service packs, 18.5 SP4, 18.0 SP7)
Remediation
For modeling tools (Magic Software Architect, Magic Cyber Systems Engineer, Magic Systems of Systems Architect , MagicDraw, Cameo Systems Modeler, Cameo Enterprise Architecture)
...
Option 1
Download and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.17.1.
Download and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with
...
log4j 2.
...
17.
...
1.
See Downloading installation files
Option 2
- Make sure application is not running
- Download log4j 2.17.1 from apache website (link)
- Search now for these jar files in installation base
- log4j-core-2.*.jar
- log4j-1.2-api-2.*.jar
- log4j-api-2.*.jar
- log4j-slf4j-impl-2.*.jar
- Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See example below.
- The replacing and renaming operations must be performed for all jar files found from the list
Example - if you find
Example:
...
log4j-core-2.11.2.jar:
...
- Remove log4j-core-2.11.2.jar
...
- Copy log4j-core-2.
...
- 17.
...
- 1.jar
...
- to the same location
- Rename log4j-core-2.
...
- 17.
...
- 1.jar
...
- to log4j-core-2.11.2.jar
Download same instructions CATIA_No_Magic_log4j_procedure_V4.pdfSee the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.
For collaboration tools (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud)
Option 1
Download and install 2021x Refresh1 HF2 (hot fix). This is a new full 2021x Refresh1 version build with log4j 2.17.1.
Download
...
and install 2021x Refresh2 HF2 (hot fix). This is a new full 2021x Refresh2 version build with log4j 2.17.1.
See Downloading installation files
Option 2
In your installation base, please search for the following files: webapp.war, admin.war, collaborator.war, document-exporter.war, resource-usage-map.war, resources.war. If you do not find any result, you can stop the procedure here. Your installation does not contain web applications
If you find a match, you might need to replace log4j2 libraries inside each found war files (for example webapp.war). Please execute these steps:
- Make sure application is not running
- Download log4j 2.17.1 from apache website (link)
- Uncompress(unzip) webapp.war into any tmp folder
- Search now for these jar files among unzipped ones
- log4j-core-2.*.jar
- log4j-api-2.*.jar
Replace any match by the 2.17.1 version. Make sure the original filename is unchanged. See example below.
Note title For collaboration tools of 19.0 SPx version (Magic Collaboration Studio, Cameo Collaborator for Teamwork Cloud, Teamwork Cloud): - look for a file named org.apache.log4j-19.0.0.jar. Delete it if found.
- Compress(zip) all extracted files back to webapp_patched.war. Make sure files structure in new war is same as in original war.
- Replace original webapp.war with webapp_patched.war and restore name back to webapp.war
- Look for a folder named webapp next to webapp.war. Delete it if found.
- Start application
Example - if you find
Example:
...
log4j-core-2.11.2.jar:
...
- Remove log4j-core-2.11.2.jar
...
- Copy log4j-core-2.
...
- 17.
...
- 1.jar
...
- to the same location
- Rename log4j-core-2.
...
- 17.
...
- 1.jar
...
See the detailed procedure to mitigate the risk concerning the CVE-2021-44228 vulnerability.
- to log4j-core-2.11.2.jar
Download same instructions CATIA_No_Magic_log4j_procedure_V4.pdf